As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.

15

Who else would need to know the source code?
– delnan Jan 16 '12 at 20:57

The organizations' financial spreadsheets are closed to most folks also, except for the CFO's team, the execs, and the board. Even in a non-profit, that's usually the rule.
– Ross Patterson Jan 16 '12 at 21:44

Pretend you are the business owner. You just sunk a few hundred thousand dollars into creating a product. What are you going to do? Charity is nice, but so is feeding your family.
– Lord Tydus Jan 17 '12 at 2:51

1) Security Issues: If everyone had even just read access to source code, then a hacker would have a wider range of possibilities for accessing the source code. Further, it widens the possibilities for malicious hackers to exploit weaknesses in the code by seeing the source (e.g. knowing password rules to crack secured data).

2) Intellectual property issues: along similar lines of 1), it would be easier for individuals to copy the source code for illicit use. Code could be expropriated by third-parties, unauthorized versions could be compiled for use, etc.

And that's just with read access. With write access you open up even bigger cans of worms: accidental and/or malicious removal or edits of code, commits of code from unusual locations, messed up code revision trees, etc.

Think of it this way: would you let just anyone open up your computer/car/body and let them poke around? Even if they didn't have explicit tools or access to some aspects of it/them? What could possibly go wrong?

Mostly #2; simply concealing the source code usually doesn't do much for security. I've seen no good evidence that F/OS software is less secure than proprietary.
– David Thornley Jan 16 '12 at 21:20

@DavidThornley Good point, and I agree that it's a pretty weak security measure. However, I'm sure you could find people in software who insist this be done as a security measure, good idea or not.
– joshin4colours Jan 16 '12 at 21:30

Source code should probably be open for all employees, at least those that have signed a non-disclosure agreement, or whatever the company in question feels they need to threaten people with.

The "security" concern is vastly overblown. It's an open secret that bespoke enterprise software has had little concern for security in its design and construction. Anyone with a fuzzer can generally find as many security holes as they want. That's why most enterprises have their intranets heavily firewalled, and some even have an air-gapped "engineering network" for production systems. Any of the multiplicity of developers that work on any given application can pretty much crash them at will.

The only security concern that's viable is if developers keep passwords (Oracle, or OS or whatever) in the source code. But that's a completely separate concern really. Any decent security standard will forbid that absolutely.

Mathematically, there's no security advantage to closed source. See this and this and the first part of this. Anecdotally, reality works as the math says.

"Intellectual Property" issues are an entirely different beast. Given revelations in the SCO Linux Trials, companies may be protecting themselves from outside legal threats as much as they're keeping their own "IP" from leaking out. Nevertheless, the benefit obtained by opening up may be greater than the detriments imposed by legal threats. Very few data points exist, so I believe that the "IP" lawyers or the "Risk Managers" are declaring source closed solely out of superstition. It's easier to say "no" than it is to say "yes" for the usual apparatchik in a corporation.

Disagree. IP theft is far more common than you might think. It is mostly kept very quiet because it is embarrassing.
– quickly_now Jan 16 '12 at 22:36

Pics or it didn't happen, as the saying goes. I've worked at a lot of places, and either "IP" theft doesn't happen or it doesn't matter. There, my assertion is as good as yours.
– Bruce Ediger Jan 16 '12 at 22:52

@BruceEdiger Read The Dark Side of Software Engineering. Case study after case study and court case after court case of hacking (unauthorized access by employees as well as outside entities), information theft, espionage, and disgruntled employees making private information public. It happens and it matters - it costs a great deal of money, time, resources, and the public's trust in a company.
– Thomas Owens♦ Jan 17 '12 at 0:15

I personally know of a case where the victim didn't even know about the theft. I also know of a number of cases where products I worked on were ripped off (copied) by competitors and the only thing that saved us was that they had no access to software source code or even compiled object code.
– quickly_now Jan 17 '12 at 1:56

Perhaps the source code is sitting on a separate repository, which means admins may have to set up new accounts for every Tom, Dick and Harry who wants read access. In that case the admins are likely to only set up accounts for those in the team. This is true at my work, even though we have only about 300 people.

Perhaps they don't want to support dozens of different versions all downloaded from random versions from the trunk